Beware of the Malicious Chrome Extension Stealing Cryptocurrency

A new threat has emerged for cryptocurrency holders: the malicious Chrome extension "Bull Checker."

Although it posed as a harmless tool, it covertly stole assets from users' wallets after transactions.

Discover the tactics used by Bull Checker and why you should be vigilant when installing browser extensions.

The Report on the Malicious Chrome Extension "Bull Checker"

On August 20, 2024, Jupiter, a Solana (SOL) based DEX aggregator, issued a warning regarding a malicious Google Chrome extension called "Bull Checker."

Jupiter had received reports over the past week from a small number of users who had their assets stolen while using Solana-related decentralized finance (DeFi) services.

Upon investigation, it was revealed that the malicious "Bull Checker" Chrome extension had been targeting users across multiple Solana-related subreddits.

Although "Bull Checker" appears to function like a legitimate extension, it poses a significant risk. After completing transactions, it may illegally transfer tokens to another wallet. Users who have installed this extension are strongly urged to delete it immediately.

Fortunately, as of the time of reporting, no vulnerabilities have been found in decentralized applications (DApps) or wallets. Below is a summary of the findings related to the "Bull Checker."

What is "Bull Checker"?

Bull Checker was a malicious Google Chrome extension that was promoted as a tool for verifying meme coin holders.

However, using this extension could result in the theft of cryptocurrency from users' wallets. (Note: The extension has since been removed.)

Even after installing this extension, users could use DApps as usual, and simulations would display normally. However, after a transaction was completed, users’ tokens could be illegally transferred to another wallet.

While Bull Checker has already been removed from the Chrome Web Store, similar extensions could be released in the future. It's crucial to understand these tactics and avoid installing untrustworthy extensions.

The Mechanism and Issues of Bull Checker

Bull Checker lay dormant after installation until the user interacted with a DApp on its official domain.

The malicious program would then alter the contents of the transaction before it was sent to the wallet. Despite this tampering, the simulation results would still appear "normal," concealing the fraudulent activity.

Although Bull Checker was promoted as a "read-only extension" for verifying meme coin holders, it had permission to read and modify all data on websites, raising serious security concerns.

Users should be extremely cautious when installing extensions with permissions to both read and modify data. Despite these risks, Bull Checker was installed by multiple users.

If you use Chrome extensions, it is essential to be wary of those that request "Read" and "Change" permissions. If an extension seems suspicious, uninstall it immediately.

(Image taken from Jupiter report)
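
One way to check installed extensions for this kind of access, as an added example that is not from Jupiter's report or this article: the Python below reads extension manifests and lists those whose required host permissions or content scripts cover every website, which Chrome presents as permission to read and change data on all sites. The function names and sample manifests are constructed for illustration, and the directory passed to scan_profile is assumed to be a Chrome profile's Extensions folder laid out as <id>/<version>/manifest.json.

```python
import json
from pathlib import Path

def is_all_sites(pattern):
    """True if a match pattern covers every host (e.g. <all_urls>, *://*/*)."""
    if pattern == "<all_urls>":
        return True
    _, sep, rest = pattern.partition("://")
    if not sep:  # API permission such as "storage", not a host pattern
        return False
    host = rest.split("/", 1)[0]
    return host == "*"

def broad_access(manifest):
    """Return sorted (source, pattern) pairs that grant access to all sites."""
    found = set()
    # MV2 keeps host patterns in "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if isinstance(p, str) and is_all_sites(p):
                found.add((key, p))
    # Content scripts run inside matching pages and can read and alter them.
    for cs in manifest.get("content_scripts", []):
        for p in cs.get("matches", []):
            if is_all_sites(p):
                found.add(("content_scripts", p))
    return sorted(found)

def scan_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json under an Extensions folder."""
    report = {}
    for mf in Path(extensions_dir).glob("*/*/manifest.json"):
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        hits = broad_access(manifest)
        if hits:  # keyed by extension id (the first directory level)
            report[mf.parent.parent.name] = (manifest.get("name", "?"), hits)
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_BROAD = {"manifest_version": 3, "name": "Holder Viewer (constructed)",
                "permissions": ["storage"], "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]}
SAMPLE_SCOPED = {"manifest_version": 3, "name": "Scoped Tool (constructed)",
                 "permissions": ["storage"],
                 "host_permissions": ["https://example.com/*"]}

if __name__ == "__main__":
    for m in (SAMPLE_BROAD, SAMPLE_SCOPED):
        print(m["name"], "->", broad_access(m) or "no all-site access")
```

An extension that appears in the report is not necessarily malicious, but one advertised as read-only that also holds all-site access deserves the scrutiny described above.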

Promotion of the Extension Through Reddit Confirmed

The investigation also revealed that an anonymous Reddit account named "Solana_OG" was promoting the Bull Checker extension.

This individual appeared to target users who were trading meme coins, directing them to download the Bull Checker extension.

It is crucial not to trust extensions or apps solely based on positive reviews on Reddit, social media, or websites.

Extensions that request more permissions than necessary require particular caution. Before installing any extension, it is vital to thoroughly verify its trustworthiness.
